Splunk Phantom default credentials, script options, and sample configuration files
This section has the default Splunk Phantom credentials, script options and example configuration files.
Default credentials
The default credentials on a new installation of Splunk Phantom are:
SSH accounts for virtual machine image (.OVA), unprivileged installations
- Username: phantom
- Password: password
Web Interface
- Username: admin
- Password: password
The default credentials of a new AMI installation of Splunk Phantom are:
SSH accounts:
- Username: phantom
- Password: None. You must use the SSH key created when deploying the AMI version of Splunk Phantom.
Web Interface
- Username: admin
- Password: <full AWS instance ID>
You should change the default passwords immediately after you install Splunk Phantom.
Installation or configuration scripts
This section lists various installation scripts and their command line options.
phantom_tar_install.sh options
Use these arguments to control the phantom_tar_install.sh script. Only use this to install Splunk Phantom as an unprivileged user.
| Option | Argument | Description |
|---|---|---|
| install | --https-port=HTTPS_PORT | Set the custom HTTPS port for Splunk Phantom. |
| --no-prompt | Run the script without a confirmation prompt. | |
| --without-apps | Do not install any of the apps that ship with Splunk Phantom. Apps can be installed later using the GUI. | |
| --no-space-check | Do not check for available space in /tmp before attempting to install. | |
| upgrade | --no-prompt | Run the script without a confirmation prompt. |
| --without-apps | Do not install any of the apps that ship with Splunk Phantom. Apps can be installed later using the GUI. | |
| --no-space-check | Do not check for available space in /tmp before attempting to install. |
Below is an example command that will install Splunk Phantom without installing any of the apps that ship with Splunk Phantom:
phantom_tar_install.sh install --without-apps
phantom_setup.sh options
Use these arguments to control the phantom_setup.sh script.
| Option | Argument | Description |
|---|---|---|
| install | --no-prompt | Run the script without a confirmation prompt. |
| --without-apps | Do not install any of the apps that ship with Splunk Phantom. Apps can be installed later using the GUI. | |
| --no-space-check | Do not check for available space in /tmp before attempting to install. | |
| --non-root | Run the watchdog daemon with reduced privileges. | |
| --yumopts="..." | Additional parameters to pass to yum. | |
| --mingit | Installs a minimal Git package without the Perl Git module. | |
| --rhsc-psql | Installs PostgreSQL from Red Hat Source Collections. | |
| --version | Specify which version of Splunk Phantom to install. | |
| upgrade | --no-prompt | Run the script without a confirmation prompt. |
| --without-apps | Do not install any of the apps that ship with Splunk Phantom. Apps can be installed later using the GUI. | |
| --no-space-check | Do not check for available space in /tmp before attempting to install. | |
| --non-root | Run the watchdog daemon with reduced privileges. | |
| --yumopts="..." | Additional parameters to pass to yum. | |
| --version | Specify which version of Splunk Phantom to install. |
make_server_node.pyc options
Use these options to control the make_server_node.pyc command.
| Argument | Description |
|---|---|
| --version | Displays the program's version number. |
| --help | Display a list and description of arguments. |
| --no-prompt | Run the program. Do not display the warning prompt. |
Convert an OVA install of Splunk Phantom into a server node for a cluster. A server node provides one or more of the services a cluster requires, such as proxy, database, file share, or search endpoint.
| Argument | Description |
|---|---|
| all | This is the default option. Install HAProxy, PostgreSQL, GlusterFS, and Splunk on this node. This option creates a best effort version of mcn_responses.json to be used with make_cluster_node.pyc.
|
| fs | Create and configure a single node GlusterFS file share on this node for Splunk Phantom. The directory tree starts with /opt/phantom/shared.
|
| db | Create the Splunk Phantom PostgreSQL database on this node to act as an external database. |
| proxy | Install HAProxy to act as a load balancer for the Splunk Phantom cluster. |
| splunk | Install Splunk Enterprise to act as remote search endpoint for the cluster. |
make_cluster_node.pyc options
Convert an OVA install of Splunk Phantom into a cluster node for a cluster. A cluster node is a single instance of Splunk Phantom supported by one or more server nodes.
| Argument | Description |
|---|---|
| --responses | Send prepared responses from mcn_responses.json or responses.json to the script.
|
| --record | Create to a responses.json file to use when running this script on another node. This version of the file does contain passwords.
|
| --record-no-secret | Create to a responses.json file to use when running this script on another node. This version of the file does not contain passwords.
|
| --record-location | Set the location to record the responses.json file. The default is /opt/phantom/bin/response.json.
|
| --delete-responses-file | Delete the responses file used from the machine with the script completes. |
| --version | Show the program version number and exit. |
Some versions of the responses.json file contain passwords. The mcn_responses.json file contains secrets such as usernames and passwords in plain text. Store it in a secure location or delete it after the cluster configuration is complete.
Configuration files
This section contains example configuration files. Use these as a guide when configuring items for use in your Splunk Phantom deployment.
HAProxy Configuration
##--------------------------------------------------------------------
## HAPROXY 1.8.7 CONFIGURATION FILE
##--------------------------------------------------------------------
#---------------------------------------------------------------------
# global settings
#---------------------------------------------------------------------
global
tune.ssl.default-dh-param 2048
log 127.0.0.1:514 local0
#---------------------------------------------------------------------
# common defaults
#---------------------------------------------------------------------
defaults
mode http
timeout connect 0ms
timeout client 0ms
timeout server 0ms
log global
#---------------------------------------------------------------------
# SSL w/ redirect to HTTPS
#---------------------------------------------------------------------
frontend localhost
bind *:80
bind *:443 ssl crt /etc/haproxy/certificates no-sslv3 no-tlsv10 ciphers <ciphers go here>
# for unprivileged installs, add another declaration
# bind *:<your https port> ssl crt /etc/haproxy/certificates no-sslv3
# no-tlsv10 ciphers <ciphers go here>
redirect scheme https if !{ ssl_fc }
mode http
default_backend nodes
#---------------------------------------------------------------------
# backend (output)
#---------------------------------------------------------------------
backend nodes
mode http
balance roundrobin
option http-keep-alive
option forwardfor
cookie SRVNAME insert
option httpchk GET /check HTTP/1.1\r\nHost:\ www.example.com
http-check expect status 200
default-server fastinter 1s downinter 5s
server <phantom node UUID> <IP Address>:443 cookie <phantom node UUID> check ssl verify none
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
| Migrate a Splunk Phantom install from REHL 6 or CentOS 6 to RHEL 7 or CentOS 7 |
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7
Download manual
Feedback submitted, thanks!